The Private Security State?

Transcription

1 ISBN: The Private Security State? The last decade has witnessed the emergence of a surveillance- industrial complex as securitised data about customers begins to flow between the private sector and government. Governments and their security agencies are mandating businesses to transfer data about their customers in a number of key industrial sectors. Organisations in financial services, travel and latterly, communications, now provide the very data which enable decisions about risk and security deployment to be made. This book revolves around case studies of two surveillance regimes: The Anti-Money Laundering/Counter Terror Finance regulations in retail financial services; and the eborders regulations in the retail travel industry. The Private Security State? examines how these new government demands for information intertwine with the activities of private sector organisations, as their systems, processes, custo mers and employees are integrated into national security frameworks. Through detailed empirical analysis it questions how private sector organisations achieve compliance with demands for customer data. Whilst others have argued that diffused security arrangements de-politicises it, The Private Security State? shows that national se curity becomes re-politicised as it re-surfaces in the politics of production within the business enterprise. The Private Security State? Surveillance, Consumer Data and the War on Terror Kirstie Ball, Ana Canhoto, Elizabeth Daniel, Sally Dibb, Maureen Meadows and Keith Spiller Omslag med zoomburst.indd 1 25/02/

2 The Private Security State?

3

4 Kirstie Ball, Ana Canhoto, Elizabeth Daniel, Sally Dibb, Maureen Meadows and Keith Spiller The Private Security State? Surveillance, Consumer Data and the War on Terror

5 Kirstie Ball, Ana Canhoto, Elizabeth Daniel, Sally Dibb, Maureen Meadows and Keith Spiller The Private Security State? Surveillance, Consumer Data and the War on Terror 1. edition 2015 CBS Press 2015 Cover: SL grafik (slgrafik.dk) Typeset: SL grafik Print: Eurographic Danmark A/S E-bog ISBN: Tryk bog ISBN: CBS Press Rosenørns Allé Frederiksberg C slforlagene@samfundslitteratur.dk cbspress.dk All rights reserved. No part of this publication may be reproduced or used in any form or by any means graphic, electronic or mechanical including photocopying, recording, taping or information storage or retrieval systems without permission in writing from CBS Press.

6 Contents Acknowledgements 7 List of abbreviations 9 List of tables, figures and images 11 CHAPTER ONE Consumer data and the war on terror 13 The new political economy of security and surveillance CHAPTER TWO Market logics and regulation 29 Theorising private sector involvement in national security surveillance CHAPTER THREE Shaping the regimes 55 Stakeholders and their interests CHAPTER FOUR Secure information flows? 73 Tensions, disruptions and realignments in information infrastructures CHAPTER FIVE The strategic response 93 Recognising, rationalising and refashioning in the retail travel customer relationship CHAPTER SIX Embedded adaptations 109 Renegotiating and reworking in the financial services customer relationship

7 CHAPTER SEVEN Cross-selling for security 137 Remediation work at the retail travel front-line CHAPTER EIGHT Compliance conquers all? 153 Remediation work at the financial services front-line CHAPTER NINE The private security state 169 Responsibilisation, surveillance and security CHAPTER TEN The out-takes 189 Reflections on interdisciplinary working References 207 Appendices 229

8 Acknowledgements Acknowledgements Acknowledgements There are a number of individuals and organisations without whom this work would not have been possible. First we would like to thank the Leverhulme Trust for funding the work. Thank you for putting your faith in a team of business academics to shed light on the important questions of surveillance, security and the private sector. Second we would like to thank all of the anonymous participants in the fieldwork who so freely gave of their time to share their views with us. We would also like to thank the many industry associations who helped to facilitate access to different participants. In particular we would like to thank Richard Taylor at Travel Weekly, Doreen McKenzie of the ABTA Airlines Group, Timon Molloy at The Money Laundering Bulletin and the Institute of Money Laundering Prevention Officers who allowed us to attend their events. We would like to express our gratitude to the many academic friends and colleagues who have engaged with this work throughout the course of its life and have generously given us encouragement as well as their views on its development. In particular we would like to thank David Lyon, The New Transparency Project and Joan Sharpe, without which this work would not have been conceived. We would also like to thank Steve Graham who suggested the title for the book. We would like to thank many of our colleagues who, directly or indirectly, influenced the direction of the work: Anthony Amicelle, Louise Amoore, Caroline Clarke, Sara Degli Esposti, Marieke DeGoede, MariaLaura DiDomenico Gilles Favarel, Kevin Haggerty, Gerry Hanlon, Ben Hardy, Richard Holti, Jef Huysmans, Gavin Jack, David Knights, Reinhard Kreissl, David Murakami Wood, Mike Mc- Cahill, Clive Norris, Andras Pap, Jason Pridmore, Michael Nagenborg, Charles Raab, Caroline Ramsey, Bence Ságvarí, John Storey, Pinelopi Troulinnou, David C Wilson, William Webster, Dean Wilson and Nils Zurawski. We would also like to thank the participants in the 4th and 5th Biannual Surveillance and Society Conferences, Meiji University (Dis)embodiment unconference attendees in December 2013, various Living in Surveillance 7

9 Acknowledgements Societies EU-COST network events, the members of the IRISS and SurPRISE FP7 consortia and the CRISP and Surveillance Studies Centre Doctoral Training workshops. Finally we would like to thank Stewart Clegg and his colleagues at the Copenhagen Business School Press for encouraging us to write this book. 8

10 List of abbreviations List of abbreviations List of abbreviations ABTA: Association of British Travel Agents AML/CTF: Anti-Money Laundering/Counter Terror Finance AML: Anti-Money Laundering APIS: Advanced Passenger Information Systems ARA: Asset Recovery Agency (now part of SOCA) BA: British Airways BAR UK: Board of Airline Representatives for the United Kingdom BBA: British Bankers Association BV: Best Value CD: Compact Disc CDD: Customer Due Diligence CRM: Customer Relationship Management CSR: Corporate Social Responsibility DNA: Deoxyribose Nucleic Acid DVLA: Driver and Vehicle Licensing Agency EU: European Union FATF: Financial Action Task Force FISA: Foreign Intelligence Surveillance Act FSA: Financial Services Authority G-7: The Group of Seven Industrialised Nations GDS: Global Distribution System HMC: Home Affairs Committee II: Information Infrastructures IOS: Interorganisational Systems IT: Information Technology JMLSG: Joint Money Laundering Steering Group KYC: Know Your Customer LACTEW: Los Angeles County Terrorism Early Warning System LEA: Law Enforcement Agencies MLRO: Money Laundering Reporting Officer 9

11 List of abbreviations NBTC: National Border Targeting Centre NCA: National Crime Agency NPM: New Public Management NSA: National Security Agency NSL: National Security Letters OFCOM: Office of Communications OFWAT: Office of Water Services OTA: Office of Technology Assessment PNR: Passenger Name Record PPP: Public-Private Partnership SAR: Suspicious Activity Report SOCA: Serious Organised Crime Agency SWIFT: Society for Worldwide Interbank Financial Telecommunication UK: United Kingdom UKBA: United Kingdom Border Agency US: United States USA: United States of America 10

12 List of tables, figures and images List of tables, figures and images List of tables, figures and images Table 2.1. Management-based strategies (Coglianese and Nash, 2006: 14) 42 Table 3.1. Stakeholders in the eborders programme 61 Table 3.2. Stakeholders in AMC/CTF Table 4.1. Tensions associated with the II schemes Table 6.1. Structure of the survey instrument 115 Table 6.2. Descriptive statistics Table 6.3. Results of exploratory factor analysis Figure 3.1. Stakeholder structure for the eborders scheme 63 Figure 3.2. Stakeholder structure for the AML/CTF scheme 68 Figure 6.1. CRM pre-requisites and AML correlations 121 Figure 6.2. Strategic deployment of technology correlations 122 Figure 6.3. Customer knowledge capabilities correlations 242 Figure 6.4. Strategic customer focus correlations 243 Figure 6.5. Staff correlations 244 Figure 9.1. Travel industry surveillant mid-range 174 Figure 9.2. Financial services industry surveillant mid-range 175 Image Image Image Image Image Image Image Image Image Image

13 12 List of tables, figures and images

14 Consumer data and the war on terror CHAPTER ONE Consumer data and the war on terror The new political economy of security and surveillance Consumer data and the war on terror The last decade has witnessed a blurring of the boundaries between public and private sector organisations in relation to national security. This blurring of boundaries has expanded from the private provision of physical security services and infrastructure, to the provision of the very data which enable decisions about risk and deployment to be made. Pre-empting the moves of risky, targeted individuals using vast datasets gleaned from any 13

15 CHAPTER ONE number of sources is de rigueur in neoliberal government discourse and doctrine. In this new politics of pre-emption, mined data about the past transactions and activities of citizens become the template for risk analysis about future threats (DeGoede, 2008) and produces a contemporary world where new securitised data flows between the private sector and government are forged. A political focus on the prevention of terror, catching suspects before threats materialise and denying suspected individuals access to material and financial resources, mobility and communications has driven security policy developments in the last 15 years, both in the USA, Europe and Australia. Marieke DeGoede (2008:163) argues that this move towards pre-emption: has the consequence of creating an extra-legal field of intervention in which administrative bureaucracies, immigration officials, consultants and financial dataminers are authorized to make sovereign decisions concerning the normality and abnormality of particular persons, behaviours and transactions, and to detain, question, monitor and freeze those considered abnormal. Information about financial transactions, locations, and communications of citizens is among the most important and valuable for national security. 1 This book examines the implications of this policy move to pre-emption for the private sector organisations that are mandated to provide such information: those who are empowered to make these sovereign decisions. How do these new government demands for information intertwine with the activities of private sector organisations, as their systems, processes, customers and employees are integrated into national security frameworks? National security processes are becoming diffused, decentralised and embedded into the consumption and employment processes which enable everyday life to function (Huysmans, 2011). How do private organisations achieve compliance with demands for customer data, how are their business operations altered and how are customer relationships and employees affected? 1 US Director of National Intelligence, James R. Clapper, statement Thursday May 31st

16 Consumer data and the war on terror National security/public-private Now running into its second post 9/11 decade, the expansive reach of the so called War on Terror has reached a new level of maturity. Much of what we discuss in this book and indeed much of what has interested surveillance commentators, is the increasing prevalence and intensity of surveillance regimes on civilian populations or in the homeland. There are numerous examples of such intensification: at the more obvious sites such as airports (Adey, 2009; Wagenaar and Boersma, 2012), and mega-events (Bennett and Haggerty, 2011; Giulianotti and Klauser, 2010; Fussey and Coaffee, 2011), particularly the use of drones (Surveillance Studies Network, 2006; Finn and Wright, 2012; Graham, 2012) to shopping malls (Koskela, 2000) and train stations (Adey et al., 2013). Moreover, the financial costs of mega-events and the rewards received by a coterie of technological firms such as Siemens and Cisco, raise further questions: are these measures warranted, what is their legitimacy and what of the profiteering that results for security businesses (Samatas, 2005)? Collaboration between large defence contractors and the government has been a common feature of these developments. In the UK, government and the private sector have worked together on a number of fronts to intensify surveillance of the population. Recent, noteworthy collaborations have been between the DVLA and Experian in order to check on the background of drivers who make licence applications (Surveillance Studies Network, 2010) and between the various national governments and numerous large security companies in the securitising of mega-events such as the Olympics (Bennett and Haggerty, 2011). Public-private collaboration was also an outcome of the many statutes which have been made law since 9/11. Britain s special relationship with the USA in international security matters has had no small part to play here, extending, as it does, back to World War II. After George W. Bush called for Total Information Awareness in 2001, and amidst pressures from the international community, it is perhaps no co-incidence that the New Labour government enacted a series of laws e.g. the Anti-Terrorism, Crime and Security Act 2001, the Proceeds of Crime Act 2002, the Identity Card Act 2006 and the Immigration, Asylum and Nationality Act 2006, the Counter Terrorism Act 2008 which mandated the mass collection of communications, financial, identification and travel data from the general population respectively. 15

17 CHAPTER ONE Although some of these laws have fallen by the wayside, notably the National Identity Card scheme, which was abandoned in 2011, 2 a draft of new anti terror laws have been enacted or are proposed. It is the latest in a string of measures, which involve the private sector in national security. DRIPA (2014) reinstates the defunct Communications Data Bill and extends the UK government s communication surveillance powers internationally. The proposed legislation is premised on the private sector gathering, storing and transferring data to government when required. Internet service providers have to store communications data in the UK such as the time, duration, originator and recipient of a communication and the location of the device from which it was made for one year. Web browsing history and details of activity on social media, , voice calls over the Internet and gaming, in addition to phone calls would also be stored. Police could then access the details of the communication if investigating a crime, but would have to get a warrant from the Home Secretary to see the content of messages. One of the criticisms of the Bill raised by Liberty, a UK-based civil rights campaign organisation, were the potential dangers of outsourcing the monitoring of citizens to private companies. Furthermore the instantiation of a Data Analysis Warehouse in Wythenshawe, near Manchester, which is fed by the eborders regime legislated for in 2006, mirrors the function of data fusion centers in the USA which were introduced in The Los Angeles County Terrorism Early Warning Centre (LACTEW) was the first (German and Stanley, 2008) many more have been formed in the post 9/11 era (Monahan and Palmer 2009; Monahan 2011). The centres were ostensibly designed to gather information from an array of sources and join the dots. Data sharing information sourced from state and local police services, other emergency services, intelligence agencies, as well as private companies (Monahan and Palmer 2009: 618). The intention of the centres is to focus on not only terror, but also crime, hazards, trafficking, illegal immigration and all other threats. The centralizing of information in preventing and dealing with threats is the over-riding incentive of the centres. However, while the centres are mainly located in police buildings, analysts are often external contractors with, as Monahan (2011) argues, less ethical conviction or indeed training. Private and sensitive in- 2 accessed 11th December

18 Consumer data and the war on terror formation available to contractors can include credit reports and banking details. Further tools of extracting information include National Security Letters (NSL), which allows governmental agencies to secure personal information from internet service providers, telecommunications companies, credit agencies or banks (Richards, 2013). It is this national security-based collaboration with non-defence industry partners corporations whose products and services facilitate everyday life which is the significant point of departure. It would be naïve to assume that the US government provides the sole impetus for the collection of data from the private sector. The EU and Britain in particular have been willing partners in these developments (DeGoede, 2008). The USA, for example, were monitoring international bank transactions recorded in the Belgian-based SWIFT system illegally from Despite initial outrage when this was discovered, Europe eventually gave in to pressure from the USA and produced the SWIFT agreement in 2009, which gave the USA legal access to European financial transactions. The same is true of passenger name record sharing: a passenger name record, or PNR, is an airline s reservation system record which contains information about the passenger s booking. Mode of payment, seat and meal preferences would feature in the record. In 2011, Europe and the USA agreed to share PNR data, subject to a data protection safe harbour agreement. At the time of writing, however, the European Parliament has voted to suspend all security-related data sharing following the Edward Snowden revelations about the NSA and pending further data protection assurances. Within a legislative and political climate which is constantly emphasising private sector data gathering for government, a new political economy of security and surveillance has emerged. An entire industry has sprung up pedalling financial surveillance software and various countries around the world most notably South Africa 3 are seeking to emulate Europe s stance on PNR and Britain s approach to passport data capture. However, as this new political economy emerges, national security also becomes the latest domain for the titanic clash of public and private interests to play out. As Sennett (2006: 18) argues: 3 accessed April

19 CHAPTER ONE the multinational corporation used to be intertwined with the politics of the nation state the global corporation has investors and shareholders throughout the world and a structure of ownership too complex to serve national interests. Even though the global corporation is seen by some as vastly more powerful than the nation state, Sennett asserts that the current state of affairs is inherently destabilising for the corporation. Diffuse international ownership structures have resulted in what Bennett Harrison terms impatient capital empowered investors who want short term results. The demands of impatient capital mean that corporations have to adapt to such external demands for short term profitability and modify their internal structures accordingly. The ongoing impact of such modifications and hence instability on employees and local economies persistently foregrounds the question of government regulation and corporate social responsibility. Recent scandals over corporation tax payments by multinationals, irresponsible lending by banks and, of course, the financial crisis, alongside the perennial questions of globalisation and the environmental impact of capitalist production, highlight how at odds these two vast interest groups can be. Under what conditions then, and with what effects, could large corporations be enmeshed into national security arrangements? This research was conceived in 2008 and executed between At that point there had been no worldwide scandal about the mass surveillance of communications data by governments and no wider question of the private sector relationship in their sharing of consumer data. There was, however, widespread public awareness of The Surveillance Society. 4 In Britain surveillance had become an election issue as every political party promised to ensure that the records of innocent people were removed from the National DNA database. 5 There was also some academic concern about the levels of security to be implemented during the 2012 Olympic Games 6 as well as about the locus of surveillance, given that private sector actors were becoming more involved in the delivery of government services (particularly in the Criminal Justice, Health and Welfare arenas). By the 4 accessed 11th December accessed 11th December accessed 11th December

20 Consumer data and the war on terror time we came to write up the research, however, the ground had shifted to foreground the controversial involvement of the private sector in national security surveillance. The most significant development for our purposes was an open letter from the internet giants Google, Facebook, Twitter, Yahoo, Microsoft and LinkedIn imploring governments around the world to limit their surveillance powers in the name of free expression and privacy. At the time of writing, the letter can be found at Nearly all of these corporations, with the exception of LinkedIn, were implicated in the 2013 Snowden revelations. Using the Protect America Act 2007 and the FISA Amendments Act 2008, and suggesting a security-commerce win-win, the NSA offered selected internet corporations immunity from prosecution if they voluntarily co-operated with intelligence collection under its Prism programme. The NSA proceeded to collect customer data directly from the servers of Microsoft, Google and Yahoo (which provided 98% of the total dataset) as well as Skype, AOL, Facebook, YouTube, Apple and PalTalk. As they had been subject to court orders, the companies publicly denied any voluntary involvement with the programme, pointing out that they did not routinely share information with the NSA. Others gave the US government a less easy ride. Lavabit, Edward Snowden s e- mail service provider, chose to suspend its operations rather than provide the US government with the encryption keys for the information on their servers, which would have compromised the communications privacy of over 400,000 customers: a security-commerce lose-lose. Similarly, Twitter fought bitterly to prevent New York City gaining access to three months worth of tweets belonging to Occupy protestor Malcolm Harris. Eventually they capitulated under threat of a contempt of court ruling and heavy fines. The authors of the open letter would no doubt argue that communications data were gathered under legal duress (Bruce Schneier (2014) offers greater insight into the subtleties of such denials). 7 But a closer examination of the letter and its comments about trust on the Internet and the free flow of information in a 21st century economy belie the deep commercial concerns at the root of this protest. Threats to data security and privacy undermine brand value and commercial revenues as, in the words of Brad 7 acces sed March

21 CHAPTER ONE Smith of Microsoft, people won t use technology they don t trust. 8 The government s initiatives to collect communications data for security purposes is conflicting with these companies use of exactly the same data for commercial purposes. Indeed, this is at the very heart of their business models. For these companies, the creation of this securitised data flow is at odds with commercial priorities to the extent that they feel a need to protest against it. Their protest emphasised their need to maintain market position as trustworthy service providers they needed to appeal to the human rights agenda. The contribution of this book is to identify the different ways in which a situation like this can be examined as an organisational problem. We show how it can have deep and multi-layered impacts on firms and their employees. These impacts stem from organisations having to respond to seemingly irreconcilable regulatory and commercial demands. They reverberate throughout stakeholder networks and detrimentally affect those with the least power. At the level of management practice, such demands can be seen as a regulatory compliance problem, a Corporate Social Responsibility problem, a strategic problem, a problem of market positioning and customer relationship management and finally, because of firms internal politics of production, it is particularly a problem for labour. It is all of these things. We submit, however, that the unique experiential quality of these regimes for firms and their employees stems from the fact they constitute firms as intermediaries in large scale surveillance infrastructures. Firms are so constituted through practices of securitisation. Because consumer data is of such interest for national security, it grows in importance as a source of intelligence about the identities and activities of criminals and terrorists. As Huysmans (2014) argues, security is accomplished by foregrounding the insecurities inherent in any situation and, then, by mobilising resources to address them. Such insecurities stem from the legal responsibilities that come with identifying and handling potentially important information which is also commercially important. Introducing national security into commercial processes introduces new vulnerabilities into commercial operations. To construct something as a security matter does something, both analytically and practically, and it is this: To securitise a practice enacts it as dangerous. 8 See footnote 7. 20

22 Consumer data and the war on terror Our empirical focus is on the Anti-Money Laundering/Counter Terrorism Financing (AML/CTF) and eborders regimes. In the former scheme, banks, building societies, insurance companies and other financial services organisations are expected to look into the backgrounds of their customers for any suspicious activity when they buy a new product, and to monitor on-going transactions for anything out of the ordinary. If they have sufficient suspicion they are to submit a suspicious activity report to the National Crime Agency (NCA) (which used to be called the Serious Organised Crime Agency or SOCA), and are criminalised if they fail to do so. In the latter, airlines and their downstream supply chains are to collect passport data in advance of travel and transfer it to the UK Border Agency for screening against watch-lists, once again under threat of criminalisation. As regulation put in place to feed into national security strategy, both AML/CTF and eborders enact and constitute the activities which pervade the commercial practices of enabling people to travel and enabling people to use money as being shot through with insecurities. These new insecurities result in organisational tensions, competing pressures on resources as well as new anxieties introduced into the firms operation. We find that many of these anxieties arise from the responsibilities which the regulations place upon organisations. Critically, as security practices become part of organisational routines, the ongoing burden of compliance rests with those in customer-facing jobs. We explore how national security processes interact with local workplace politics as they simultaneously intensify employee workloads and fundamentally change the roles they perform. Ultimately we counter recent arguments made by security studies specialists which suggest that the diffusion of security practices de-politicises security. As security becomes diffused it re-emerges in local political circulations, takes on a new political significance and opens up new possibilities for debate and resistance. We shall continue to see a struggle for legitimacy between the insecurities of security and business priorities as a securitised information flow gets forged. Security, surveillance, transdisciplinarity The book is positioned at the interstices of a number of business and social science disciplines organisation studies; marketing; information systems 21

23 CHAPTER ONE and surveillance studies and employs theory and method from all of them. Within this work, we draw on a generic definition of surveillance as any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered (Lyon, 2001:2). The argument we build is grounded not only in the theory, politics and practice of mass consumer surveillance and the discrimination, exclusion and social sorting that results, but also in the critical observation that such practices are a fundamental part of modern organising. As bureaucracies began to form in order to manage local populations and to supply goods and services, so did information systems containing records of individual customers and citizens (Beniger, 1986). With the growth of information processing capacity, oversight, management and manipulation of these datasets became possible and modern surveillance was born. So, in our view, surveillance is not a malign plot hatched by evil powers (Surveillance Studies Network, 2006), but a process of information gathering, analysis and application which makes modern living possible. Developing surveillance capacity is hence a normal part of both the governmental and private sector agenda: however, it is in the context of national security that these two surveillant domains begin to join up and fragment in new and powerful ways. For private sector organisations, surveillance emerges as a way of monitoring resource use, productive capacity and managing risk and liability. A key development in the last 20 years has been that of customer relationship management (CRM) where customer transaction data are monitored to identify tastes, preferences and maintain the long term customer relationship. This strategy involves the mining of customer information to anticipate and service customer needs. It is used with varying degrees of sophistication across a variety of industrial sectors. It has proved particularly effective for many large financial service organisations, enabling them to identify lucrative groups of consumers, target products appropriate to those consumers and generate revenue (see Dibb and Meadows, 2004). Data analysis in the national security context often relies on the very same transactional data as CRM, and on similar statistical techniques, to sort through those data and identify suspicious activity. CRM focuses on the attractive customers, whereas national security practices seek to find the risky ones. Indeed the point of customer contact for the organisation is frequently the point of data capture for the national security regimes we investigate. Work 22